Threat Awareness – Google AMP URLs Being Abused to Generate Trust for Phishing Campaigns

Cofense shares recent analysis diving into a new phishing tactic that utilizes Google Accelerated Mobile Pages (AMP), an open-source HTML framework for browser and mobile websites. By using websites hosted on Google AMP URLs, threat actors are able to gain trust with users who think they are accessing a Google domain. This tactic is designed to steal login credentials of enterprise employees and has been successful at bypassing secure email gateways to reach users inboxes.

The idea behind the tactic is simple: host a website on Google AMP to obfuscate the threat to the user and then redirect the traffic to the true malicious site. On top of this, a variety of additional obfuscation tactics are used, from image-based HTML emails countering text scanners to multiple redirects. Cofense notes that the number of phishing attacks redirecting to Google AMP spiked during mid-July, signaling criminal interest in the technique. However, the obfuscation layers make this tactic difficult for researchers to analyze. Simple blocking may not be practical due to the number of legitimate websites also hosted through Google AMP. Cofense suggests at least setting up flags so that users are aware of this tactic and its risks. Likewise, members are encouraged to discuss this latest phishing tactic with users as part of security awareness training, emphasizing the need to think before you click and verify even seemingly trusted domains. Read more at Bleeping Computer.